The second Tuesday of the month is upon us, and this translates to only one thing in the world of IT security: Patch Tuesday. Microsoft has released fixes to address 113 vulnerabilities, with 15 of them being Critical. With most of the workforce adopting remote work, IT admins are going to have a challenging time scheduling and installing the updates released this Patch Tuesday.
After an initial discussion about the updates released, we’ll offer our advice for devising a plan to handle patch management for remote devices.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. It is on this day that Microsoft releases security and non-security updates for its operating system (OS) and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins are well-informed and have time to gear up for the new updates.
Why is Patch Tuesday important?
The most important security updates and the patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
Highlights of April Patch Tuesday
Security updates were released for the following lineup of products:
-
Microsoft Windows
-
Microsoft Edge (EdgeHTML-based)
-
Microsoft Edge (Chromium-based)
-
ChakraCore
-
Internet Explorer
-
Microsoft Office and Microsoft Office Services and Web Apps
-
Windows Defender
-
Visual Studio
-
Microsoft Dynamics
-
Microsoft Apps for Android
-
Microsoft Apps for Mac
Zero-day vulnerabilities and public disclosures
Microsoft has patched four zero-day vulnerabilities, out of which three are being actively exploited. The much-awaited fix for the Adobe Font Manager remote code execution zero-day vulnerabilities has also been released. The CVE IDs are CVE-2020-0938 and CVE-2020-1020. Before you install the updates, ensure that you undo the work-around suggested for these vulnerabilities.
The other publicly released vulnerability is CVE-2020-0935, a OneDrive for Windows elevation of privilege vulnerability. The other publicly exploited vulnerability is CVE-2020-0968, a scripting engine memory corruption vulnerability.
Critical and noteworthy updates
This Patch Tuesday comes with 15 Critical updates and 93 Important ones. The Critical updates are:
It is recommended that you give priority to the patches mentioned above, followed by the other Important patches.
Non-security updates
Microsoft has released cumulative updates for Windows 10 that include the non-security updates KB4549951 and KB4549949. Starting next month, Microsoft is planning to pause non-security updates and roll out only security updates.
Best practices to handle patch management in the current work-from-home scenario
In the wake of COVID-19, most organizations have opted to completely shift to remote work. This decision poses various challenges to IT admins, especially in terms of managing and securing endpoints. Here are a few pointers to ease the process of remote patching.
-
Disable automatic updates, as one faulty patch might bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
-
Create a restore point, a backup or image that captures the state of the machines, before deploying big updates like those from Patch Tuesday.
-
Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what has to be done from their end, for instance, that they need to connect to the VPN for three hours from 6pm to 9 pm.
-
Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
-
Since most users are working from home, they might not adhere to strict timings; therefore, allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience, thereby not disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
-
Most organizations are patching using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical and security updates first. You might want to hold off on deploying feature packs and cumulative updates, as they are bulky updates and consume too much bandwidth.
-
Schedule the non-security updates, as well assecurity updates that are not rated Critical, to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
-
Run patch reports to get a detailed view of the health status of your endpoints.
With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.
Want to learn about the Patch Tuesday updates in detail? Join our experts as they break down the Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and have them answered right away. Register for our free Patch Tuesday webinar!